Leopard's built-in firewall is great, but as soon as you use web sharing (e.g., for local testing), the web server is added to the firewall's allow list (under "Set access for specific services and applications").

But it's easy to change that, and to block any incoming connection to your local web server from outside your Mac:

In the Finder (Go » Go to Folder...), go to the folder /usr/sbin and locate the file httpd.

Open System Preferences » Security » Firewall, and select the "Set access for specific services and applications" option.

Click on the "+" button at the bottom of the list, then drag the file httpd from /usr/sbin in the Finder to the Open dialog, then click Add (Validate).

In the list of services, locate httpd, then select "Block incoming connections" in the popup menu.

Note: you may wish to do the same for mysqld, located in /usr/local/mysql/bin. This way, you can use your local web server and MySQL from your Mac, but nobody can connect from the outside.

[robg adds: A commenter on the queue site notes that you can make these changes in the Apache and MySQL config files instead. In Apache's config file (/etc/apache2/httpd.conf), change Listen 80 to Listen 127.0.0.1:80. For MySQL, find the my.cnf file (usually in /etc or /usr/local/etc), and look for the [mysqld] section of the file. Add either bind-address=127.0.0.1 or the more-restrictive skip-networking option to this file. Apparently skip-networking will still allow local connections via Unix socket, not TCP. The difference with this method is that you don't even need to use the built-in firewall.]
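
A read-only check for the two config-file changes described in the note above, as an added example that is not part of the original hint. The function names and the sample config files are constructed for illustration; point the functions at your real /etc/apache2/httpd.conf and my.cnf to audit them.

```shell
#!/bin/sh
# Added example (not from the original hint). Sample configs are constructed.

# Print Apache Listen directives not bound to loopback; return 1 if any exist.
exposed_listens() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "listen" && $2 !~ /^(127\.|\[::1\]:)/ {
            print FILENAME ":" FNR ": " $0; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Return 0 if [mysqld] has skip-networking or its last bind-address is loopback.
mysqld_is_local() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_sec = (tolower($0) ~ /\[mysqld\]/); next }
        in_sec {
            line = tolower($0); sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line ~ /^skip[-_]networking$/) skip = 1
            if (line ~ /^bind[-_]address=/) { sub(/^[^=]*=/, "", line); bind = line }
        }
        END { exit !(skip || bind ~ /^(127\.[0-9.]+|::1|localhost)$/) }
    ' "$1"
}

# Constructed sample files: the stock settings and the hardened variants.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'Listen 80\n' > "$tmp/httpd-default.conf"
printf '# local only\nListen 127.0.0.1:80\n' > "$tmp/httpd-local.conf"
printf '[client]\nport=3306\n[mysqld]\nport=3306\n' > "$tmp/my-default.cnf"
printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$tmp/my-bind.cnf"
printf '[mysqld]\nskip-networking\n' > "$tmp/my-skip.cnf"

for f in "$tmp"/httpd-*.conf; do
    if exposed_listens "$f"; then echo "OK      $f"; else echo "EXPOSED $f"; fi
done
for f in "$tmp"/my-*.cnf; do
    if mysqld_is_local "$f"; then echo "OK      $f"; else echo "EXPOSED $f"; fi
done
```

The MySQL check fails closed: a [mysqld] section with neither option, or with a later bind-address that overrides a loopback one, is reported as exposed.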

The "Allow only essential services" option really locks down the computer and blocks most services, like file sharing, remote access, screen sharing, iChat, etc. Although it will allow the Mac to announce itself via Bonjour, nobody will be able to connect to shared folders, for example. It can also prevent outbound services like TFTP (which can be used to upload files to routers for firmware flashing).